it doesn't matter that you're waiting 3s because you can just do it in parallel.
A little math for you:
An 8-character password using only letters and numbers has roughly 1 x 10^14 permutations. Just for the sake of argument, let's assume that your server and your service provider can actually handle 1000000 simultaneous, parallel requests from 1000000 different IPs.
It can't unless you're Google or Facebook running your own data centers, but for the sake of argument let's just ignore that reality and push on.
To check every possible 8-character password by making 1 million parallel attempts at guessing the password every 3 seconds would take roughly 10 years. Luck being what it is, you'd probably only need to check half of them ... but that would still take 5 years.
Back in reality land, you'll be out of business before 5 years because you can't serve your paying customers. 1000000 parallel requests hitting a run-of-the-mill server is effectively a "denial of service" attack.
In reality land using servers that I run, your 1000000 different IPs would all be banned after about 30 seconds.
You're sending two requests either way, it doesn't matter that you're waiting 3s because you can just do it in parallel.